Page created: 12 Sep 2019 |
Page updated: 19 Mar 2020
To enable Kerberos authentication, you must make several Active Directory configuration changes to grant PingFederate access to the domain and add the domain to PingFederate.
Do not configure subdomains if the parent domain in the same forest has already been configured (see Multiple-domain support).
You must have Domain Administrator permissions to make the required changes.
- Create a domain user account that PingFederate can use to contact the Kerberos Key Distribution Center (KDC). The account should belong to the Domain Users group and needs no other group memberships or privileges. We recommend that the password be set with no expiration. Because any authenticated domain user can request a service ticket for an account that has an SPN and attempt to crack it offline (Kerberoasting), give this account a long, randomly generated password rather than a memorable one.
- Use the Windows utility setspn to register the SPN (servicePrincipalName) directory attribute for the account by executing the following command on a domain controller, or on any domain-joined machine that has the Active Directory administration tools installed:

setspn -s HTTP/<pf-idp.domain.name> <pf-server-account-name>

- <pf-idp.domain.name> is the canonical name of the PingFederate server, that is, the name in its DNS A record rather than a CNAME alias. (For more information on "canonical name", see https://tools.ietf.org/html/rfc2181#section-10.)
- <pf-server-account-name> is the domain account you want to use for Kerberos authentication.

When executing the setspn command, HTTP must be capitalized and followed by a forward slash (/). The -s option checks for an existing registration of the same SPN before adding it; a duplicate SPN on two accounts causes the KDC to issue tickets for the wrong account and Kerberos authentication fails.

- Verify that the registration was successful by executing the following command:

setspn -l <pf-server-account-name>

This gives you a list of SPNs for the account. Verify that HTTP/<pf-idp.domain.name> is one of them.

Note:
After making an SPN change, any end-users already authenticated must re-authenticate (close the browser or log off and back on) before attempting SSO.
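The following PowerShell script carries out the whole procedure above in one pass (canonical-name check, duplicate-SPN check, account creation with a non-expiring random password, SPN registration, and verification). It is an added example and not part of the PingFederate documentation or of Ping Identity's own tooling; the host name pf-idp.example.com, the account name svc-pingfederate and the use of the ActiveDirectory (RSAT) and DnsClient modules are assumptions, so substitute your own values. Run it in an elevated session as a Domain Administrator.

```powershell
# Added example (not from the PingFederate documentation): create the
# PingFederate Kerberos service account, register its HTTP SPN and verify it.
# Requires the ActiveDirectory module (RSAT AD DS tools) and Domain Admin rights.

# Assumed values; replace with your own.
$PfHost    = 'pf-idp.example.com'   # canonical (A-record) name of the PingFederate server
$PfAccount = 'svc-pingfederate'     # sAMAccountName of the service account
$Spn       = "HTTP/$PfHost"         # 'HTTP' must be upper-case and followed by '/'

Import-Module ActiveDirectory

# 1. The SPN must use the canonical host name. Browsers build the SPN from the
#    name they resolve, so a CNAME whose target differs from $PfHost would make
#    them request a ticket for a different SPN than the one registered here.
$dns = Resolve-DnsName -Name $PfHost -ErrorAction Stop
if ($dns | Where-Object { $_.Type -eq 'CNAME' }) {
    throw "$PfHost is a CNAME; register the SPN for the canonical (A record) name instead."
}

# 2. Refuse to continue if the SPN is already registered on any account in the
#    domain. setspn -Q prints 'Existing SPN found!' when there is a match.
$query = & setspn.exe -Q $Spn
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn is already registered:`n$($query -join "`n")"
}

# 3. Create the account: ordinary Domain Users member, password never expires.
#    Any authenticated user can obtain a service ticket for an account with an
#    SPN and crack it offline (Kerberoasting), so the password is 48 random
#    bytes rather than anything a person would choose.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = [Convert]::ToBase64String($bytes)
$password = ConvertTo-SecureString $plain -AsPlainText -Force

if (-not (Get-ADUser -Filter "SamAccountName -eq '$PfAccount'")) {
    New-ADUser -Name $PfAccount -SamAccountName $PfAccount `
        -AccountPassword $password -PasswordNeverExpires $true `
        -CannotChangePassword $true -Enabled $true `
        -Description 'PingFederate Kerberos (KDC) service account'
    # Store $plain in your secrets manager now: it is the value entered in the
    # PingFederate Kerberos domain configuration and is not recoverable from AD.
}

# 4. Register the SPN. -s (unlike -a) re-checks for duplicates before adding.
& setspn.exe -s $Spn $PfAccount
if ($LASTEXITCODE -ne 0) { throw "setspn -s failed with exit code $LASTEXITCODE" }

# 5. Verify from the directory attribute itself, then with setspn -l as the
#    page describes.
$registered = (Get-ADUser -Identity $PfAccount -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $Spn) {
    throw "SPN $Spn is not on $PfAccount. Registered SPNs: $($registered -join ', ')"
}
& setspn.exe -l $PfAccount
```

The script stops at the first problem rather than continuing, because each later step depends on the earlier one: registering an SPN that already exists elsewhere, or on a name that is only an alias, produces a configuration in which setspn -l looks correct but browsers never obtain a usable ticket. Remember that users who already hold a ticket for the old SPN must log off and back on (or close the browser) before trying SSO again.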